05 April 2017
Blogs by author: Bryan K. Fite, Account CISO, BT.
You can patch known bugs in your system, but what about the ones you don’t know about? Here’s why ‘the disclosure game’ is vital to your cyber security.
An eventful trip to Troopers.
I’m just back from Troopers, the best hacker conference in the world. This year, it celebrated ten years of trying to make the world a safer place. I had planned to provide a full post-Troopers report in this blog, but there’s just too much to report for a single blog post.
I enjoyed ‘killer keynotes’, RF, IPv6, Telecosec workshops, general sessions, round tables, an epic Packetwars battle, speaker dinner, surprise presenter (@thegrugq!) and — oddly enough — several incredibly relevant (if esoteric) book suggestions. How could I fit it all in?
So I’ll resist the urge to overload you. Rather, I want to focus on something I call ‘the disclosure game’ — a running theme through much of my interaction with others in attendance.
Finding bugs in a system.
It was great seeing all my friends, fellow researchers and security professionals at Troopers. However, while I was there, it dawned on me that all these people are hackers — whether they identify themselves as hackers or not. And the disclosure game relates to how all of us hackers react when we discover a bug in any system.
The passion, drive and need to understand ‘how’ things work is one of the core characteristics of the hacker psyche. Often, through their journey of discovery, a hacker or security researcher will discover a vulnerability, bug and/or relevant flaw in a system: one that can cause it to operate outside of its intended function, fail or otherwise ‘break’.
Most system vulnerabilities relate to software bugs, which can be patched. And the longer a bug (aka vulnerability) is known about but remains unpatched, the higher the risk to the system.
Why disclosure matters.
This is where privately known bugs (often referred to as ‘0-Day’) can provide adversaries with a dangerous capability should they be weaponised. I often refer to the Exposure Index when talking about these threats.
Exposure of a bug is critical. The more entities that know about the bug, the more likely it is that tools will be developed to detect or exploit the bug. This is where the disclosure game makes all the difference — with different vulnerability disclosures tipping the balance between a security breach and a successful patch.
Cyber defences depend on disclosure stakeholders.
So what is the best form of vulnerability disclosure? As with most questions, the answer is: it depends.
If you’re a nation state, you might hoard weaponised versions to build a cyber arsenal. If you’re a glory hound, you might drop all the details in a public forum and watch the world react. If you’re a freelance entrepreneur, you might monetise them via bug-bounty programs or by selling them to the highest bidder in a dark forum.
It’s also important to understand the intended or potential impact of releasing information to various entities. Will it cause harm to humans? Who benefits from the disclosure? Is it legal to disclose? How does it affect your ‘brand’?
I think we’re heading into a period where there’ll be three main types of disclosure:
- Full disclosure — with no or untrustworthy attribution.
- Time-bound ‘escrow disclosure’ — with attribution, but opaque motivation.
- Bug bounties — where vulnerabilities become the property of the purchasing entity.
I won’t pick a favourite as the nature of each one really depends on the stakeholders in question. However, I’m looking forward to continuing the disclosure discourse in this forum. And I can’t wait to discuss my position — and articulate the elements that influence my perspective — at DCXI in September.
If you want to delve further into the disclosure game, our good friends over at ERNW published a thoughtful assessment back in September 2015. The document touches on so many of the big themes, and discusses how security researchers have approached the problem space.
They reference the not-so-successful RFC and the ISO standard (ISO/IEC 29147:2014) that’s gaining a lot of attention. Although this paper might be overly focused on the two primary stakeholders (finder and vendor), I think it’s a great entry or primer for this discussion.
Also, Bruce Schneier recently posted an observation on the subject specific to Google’s Project Zero. Reflecting on his observations, this subject quickly hits on timely topics near and dear to my heart — namely ethics, discretion and transparency within the cyber domain and ecosystem. And, in my opinion, it helps frame the evolving dystopian landscape.